laxy-verify 1.2.2 → 1.3.0

package/dist/secret-scan.d.ts

@@ -0,0 +1,15 @@
+export interface SecretScanResult {
+    passed: boolean;
+    findings: SecretFinding[];
+    filesScanned: number;
+    skipped: boolean;
+}
+export interface SecretFinding {
+    file: string;
+    line: number;
+    pattern: string;
+    preview: string;
+}
+export declare function runSecretScan(projectDir: string, options?: {
+    ignorePaths?: string[];
+}): Promise<SecretScanResult>;

package/dist/secret-scan.js

@@ -0,0 +1,218 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSecretScan = runSecretScan;
+/**
+ * Secret/credential leak scanner.
+ *
+ * Scans source files for hardcoded secrets using regex patterns.
+ * Supports ignore paths and custom ignore patterns from .laxy.yml.
+ */
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const DEFAULT_IGNORE_DIRS = new Set([
+    "node_modules",
+    ".git",
+    ".next",
+    "dist",
+    "build",
+    ".laxy-tmp",
+    ".laxy-baselines",
+    "coverage",
+    ".cache",
+    "test",
+    "tests",
+    "__tests__",
+    "spec",
+]);
+const SECRET_PATTERNS = [
+    { name: "AWS Access Key", regex: /AKIA[0-9A-Z]{16}/ },
+    { name: "AWS Secret Key", regex: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*['"][A-Za-z0-9/+=]{40}['"]/ },
+    { name: "GitHub Token", regex: /ghp_[A-Za-z0-9]{36}/ },
+    { name: "GitHub OAuth", regex: /gho_[A-Za-z0-9]{36}/ },
+    { name: "GitHub App Token", regex: /(?:ghs_|ghu_)[A-Za-z0-9]{36}/ },
+    { name: "Slack Token", regex: /xox[baprs]-[A-Za-z0-9-]{10,}/ },
+    { name: "Slack Webhook", regex: /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/ },
+    { name: "Private Key Block", regex: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----/ },
+    { name: "Google API Key", regex: /AIza[0-9A-Za-z_-]{35}/ },
+    { name: "Google OAuth Token", regex: /[0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com/ },
+    { name: "Stripe Secret Key", regex: /sk_live_[0-9a-zA-Z]{24,}/ },
+    { name: "Stripe Publishable Key", regex: /pk_live_[0-9a-zA-Z]{24,}/ },
+    { name: "Twilio API Key", regex: /SK[0-9a-fA-F]{32}/ },
+    { name: "SendGrid API Key", regex: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/ },
+    { name: "Mailgun API Key", regex: /key-[0-9a-zA-Z]{32}/ },
+    { name: "Hardcoded Bearer Token", regex: /Bearer\s+[A-Za-z0-9\-._~+/]+=*/ },
+    { name: "JWT-like Secret", regex: /['"]eyJ[A-Za-z0-9\-._~+/]+=*\.[A-Za-z0-9\-._~+/]+=*['"]/ },
+    { name: "Generic Secret Assignment", regex: /(?:secret|password|passwd|token|api_key|apikey|access_key|private_key)\s*[=:]\s*['"][^'"]{8,}['"]/i },
+];
+const ALLOWLIST_PATTERNS = [
+    // Common false positives
+    /process\.env\./,
+    /import\.meta\.env\./,
+    /NEXT_PUBLIC_/,
+    /VITE_/,
+    /REACT_APP_/,
+    /NUXT_ENV_/,
+    /placeholder/i,
+    /example/i,
+    /your[_-]?(?:api|secret|key|token)/i,
+    /xxx+/,
+    /<[^>]+>/,
+    /\$\{\{.*\}\}/, // GitHub Actions / CI template variables
+    /secrets\.[A-Z_]+/, // GitHub Actions secrets references
+    /env\.[A-Z_]+/, // CI env variable references
+    /regex:\s*\//, // Regex pattern definitions in source code
+    /^\s*\/\//, // Single-line comments (// ...)
+    /^\s*\*/, // Block comment lines (* ...)
+    /^\s*<!--/, // HTML comment lines
+];
+function shouldIgnoreLine(line) {
+    return ALLOWLIST_PATTERNS.some((p) => p.test(line));
+}
+/**
+ * Masks potential secret values in a line preview so that
+ * actual credentials are never exposed in JSON output or reports.
+ * Replaces quoted string contents after = or : with ***.
+ */
+function maskSecret(line) {
+    return line
+        // Mask single-quoted values: = '...' or : '...'
+        .replace(/([=:])\s*'([^']{4,})'/g, "$1 '***'")
+        // Mask double-quoted values: = "..." or : "..."
+        .replace(/([=:])\s*"([^"]{4,})"/g, '$1 "***"')
+        // Mask bare tokens after Bearer
+        .replace(/(Bearer\s+)[A-Za-z0-9\-._~+/]+=*/g, "$1***")
+        // Mask AKIA keys
+        .replace(/(AKIA)[0-9A-Z]{16}/g, "$1****************")
+        // Mask ghp_/gho_/ghs_/ghu_ tokens
+        .replace(/(gh[pous]_)[A-Za-z0-9]{36}/g, "$1************************************")
+        // Mask xoxb-/xoxp- etc tokens
+        .replace(/(xox[baprs]-)[A-Za-z0-9-]{10,}/g, "$1**********")
+        // Mask AIza keys
+        .replace(/(AIza)[0-9A-Za-z_-]{35}/g, "$1***********************************")
+        // Mask sk_live_/pk_live_ keys
+        .replace(/(s?k_live_)[0-9a-zA-Z]{24,}/g, "$1************************")
+        // Mask SK hex keys (Twilio)
+        .replace(/(SK)[0-9a-fA-F]{32}/g, "$1********************************")
+        // Mask key- prefix (Mailgun)
+        .replace(/(key-)[0-9a-zA-Z]{32}/g, "$1********************************")
+        // Mask SG. tokens (SendGrid)
+        .replace(/(SG\.)[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g, "$1**********************.*******************************************");
+}
+function scanFile(filePath, relativePath, ignorePatterns) {
+    if (ignorePatterns.some((p) => relativePath.includes(p)))
+        return [];
+    const findings = [];
+    let content;
+    try {
+        content = fs.readFileSync(filePath, "utf-8");
+    }
+    catch {
+        return [];
+    }
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (shouldIgnoreLine(line))
+            continue;
+        for (const { name, regex } of SECRET_PATTERNS) {
+            if (regex.test(line)) {
+                const preview = maskSecret(line.trim().slice(0, 120));
+                findings.push({
+                    file: relativePath,
+                    line: i + 1,
+                    pattern: name,
+                    preview,
+                });
+                break; // one finding per line max
+            }
+        }
+    }
+    return findings;
+}
+function walkDir(dir, rootDir, ignoreDirs, ignorePatterns) {
+    const results = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return results;
+    }
+    for (const entry of entries) {
+        if (ignoreDirs.has(entry.name))
+            continue;
+        if (entry.name.startsWith(".") && entry.name !== ".env")
+            continue;
+        const fullPath = path.join(dir, entry.name);
+        const relativePath = path.relative(rootDir, fullPath).replace(/\\/g, "/");
+        if (ignorePatterns.some((p) => relativePath.includes(p)))
+            continue;
+        if (entry.isDirectory()) {
+            results.push(...walkDir(fullPath, rootDir, ignoreDirs, ignorePatterns));
+        }
+        else if (entry.isFile()) {
+            const ext = path.extname(entry.name).toLowerCase();
+            if ([".ts", ".tsx", ".js", ".jsx", ".vue", ".svelte", ".env", ".json", ".yml", ".yaml", ".toml", ".py", ".rb"].includes(ext) ||
+                entry.name === ".env" || entry.name.startsWith(".env.")) {
+                results.push(fullPath);
+            }
+        }
+    }
+    return results;
+}
+async function runSecretScan(projectDir, options) {
+    const ignorePatterns = options?.ignorePaths ?? [];
+    const ignoreDirs = new Set(DEFAULT_IGNORE_DIRS);
+    console.log("  Running secret scan...");
+    const files = walkDir(projectDir, projectDir, ignoreDirs, ignorePatterns);
+    const allFindings = [];
+    for (const file of files) {
+        const relativePath = path.relative(projectDir, file).replace(/\\/g, "/");
+        const findings = scanFile(file, relativePath, ignorePatterns);
+        allFindings.push(...findings);
+    }
+    const passed = allFindings.length === 0;
+    if (passed) {
+        console.log(`  Secret scan: OK (${files.length} files scanned)`);
+    }
+    else {
+        console.log(`  Secret scan: ${allFindings.length} finding(s) in ${files.length} files`);
+        for (const f of allFindings.slice(0, 5)) {
+            console.error(`    ${f.file}:${f.line} [${f.pattern}]`);
+        }
+    }
+    return { passed, findings: allFindings, filesScanned: files.length, skipped: false };
+}

package/dist/security-audit.d.ts

@@ -1,9 +1,17 @@
-export interface SecurityAuditResult {
-    totalVulnerabilities: number;
-    critical: number;
-    high: number;
-    moderate: number;
-    low: number;
-    summary: string;
-}
-export declare function runSecurityAudit(cwd: string, timeoutMs?: number): Promise<SecurityAuditResult>;
+export interface SecurityAuditResult {
+    totalVulnerabilities: number;
+    critical: number;
+    high: number;
+    moderate: number;
+    low: number;
+    summary: string;
+    missingHeaders: string[];
+    headerCheckUrl?: string;
+    headerCheckError?: string;
+}
+export declare function auditSecurityHeaders(url: string): Promise<{
+    missingHeaders: string[];
+    checkedUrl: string;
+    error?: string;
+}>;
+export declare function runSecurityAudit(cwd: string, appUrl?: string, timeoutMs?: number): Promise<SecurityAuditResult>;

package/dist/security-audit.js

@@ -1,64 +1,127 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.runSecurityAudit = runSecurityAudit;
-/**
- * npm audit wrapper for Pro/Pro+ security scanning.
- *
- * Runs `npm audit --json` in the project directory and extracts
- * severity counts + a short summary for the verification report.
- */
-const node_child_process_1 = require("node:child_process");
-async function runSecurityAudit(cwd, timeoutMs = 30000) {
-    console.log("  Running security audit (npm audit)...");
-    return new Promise((resolve) => {
-        const chunks = [];
-        const proc = process.platform === "win32"
-            ? (0, node_child_process_1.spawn)(process.env.ComSpec || "cmd.exe", ["/d", "/c", "npm audit --json"], {
-                stdio: ["ignore", "pipe", "pipe"],
-                cwd,
-            })
-            : (0, node_child_process_1.spawn)("npm", ["audit", "--json"], {
-                shell: true,
-                stdio: ["ignore", "pipe", "pipe"],
-                cwd,
-            });
-        const timer = setTimeout(() => {
-            try {
-                proc.kill();
-            }
-            catch { }
-            resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0, summary: "Audit timed out" });
-        }, timeoutMs);
-        proc.stdout?.on("data", (chunk) => chunks.push(chunk.toString()));
-        proc.stderr?.on("data", () => { }); // ignore stderr
-        proc.on("exit", () => {
-            clearTimeout(timer);
-            const raw = chunks.join("");
-            try {
-                const json = JSON.parse(raw);
-                // npm audit v2 format
-                const meta = json.metadata?.vulnerabilities ?? json.vulnerabilities ?? {};
-                const critical = meta.critical ?? 0;
-                const high = meta.high ?? 0;
-                const moderate = meta.moderate ?? 0;
-                const low = meta.low ?? 0;
-                const total = critical + high + moderate + low;
-                const parts = [];
-                if (critical > 0)
-                    parts.push(`${critical} critical`);
-                if (high > 0)
-                    parts.push(`${high} high`);
-                if (moderate > 0)
-                    parts.push(`${moderate} moderate`);
-                if (low > 0)
-                    parts.push(`${low} low`);
-                const summary = total === 0 ? "No known vulnerabilities" : parts.join(", ");
-                console.log(`  Security: ${summary}`);
-                resolve({ totalVulnerabilities: total, critical, high, moderate, low, summary });
-            }
-            catch {
-                resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0, summary: "Audit parse failed" });
-            }
-        });
-    });
-}
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditSecurityHeaders = auditSecurityHeaders;
+exports.runSecurityAudit = runSecurityAudit;
+/**
+ * npm audit wrapper plus runtime security-header checks.
+ *
+ * The package audit catches known dependency vulnerabilities.
+ * The header audit adds shallow runtime coverage for common missing
+ * browser-enforced protections on the running app.
+ */
+const node_child_process_1 = require("node:child_process");
+async function runNpmAudit(cwd, timeoutMs) {
+    return new Promise((resolve) => {
+        const chunks = [];
+        const proc = process.platform === "win32"
+            ? (0, node_child_process_1.spawn)(process.env.ComSpec || "cmd.exe", ["/d", "/c", "npm audit --json"], {
+                stdio: ["ignore", "pipe", "pipe"],
+                cwd,
+            })
+            : (0, node_child_process_1.spawn)("npm", ["audit", "--json"], {
+                shell: true,
+                stdio: ["ignore", "pipe", "pipe"],
+                cwd,
+            });
+        const timer = setTimeout(() => {
+            try {
+                proc.kill();
+            }
+            catch { }
+            resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0 });
+        }, timeoutMs);
+        proc.stdout?.on("data", (chunk) => chunks.push(chunk.toString()));
+        proc.stderr?.on("data", () => { });
+        proc.on("exit", () => {
+            clearTimeout(timer);
+            try {
+                const json = JSON.parse(chunks.join(""));
+                const meta = json.metadata?.vulnerabilities ?? json.vulnerabilities ?? {};
+                const critical = meta.critical ?? 0;
+                const high = meta.high ?? 0;
+                const moderate = meta.moderate ?? 0;
+                const low = meta.low ?? 0;
+                resolve({
+                    totalVulnerabilities: critical + high + moderate + low,
+                    critical,
+                    high,
+                    moderate,
+                    low,
+                });
+            }
+            catch {
+                resolve({ totalVulnerabilities: 0, critical: 0, high: 0, moderate: 0, low: 0 });
+            }
+        });
+    });
+}
+async function auditSecurityHeaders(url) {
+    const requiredHeaders = ["X-Frame-Options", "Content-Security-Policy"];
+    const urlObj = new URL(url);
+    if (urlObj.protocol === "https:") {
+        requiredHeaders.push("Strict-Transport-Security");
+    }
+    let response;
+    try {
+        response = await fetch(url, {
+            method: "HEAD",
+            redirect: "follow",
+            signal: AbortSignal.timeout(5000),
+        });
+    }
+    catch {
+        try {
+            response = await fetch(url, {
+                method: "GET",
+                redirect: "follow",
+                signal: AbortSignal.timeout(5000),
+            });
+        }
+        catch (error) {
+            return {
+                missingHeaders: [],
+                checkedUrl: url,
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    const missingHeaders = requiredHeaders.filter((headerName) => !response.headers.get(headerName));
+    return {
+        missingHeaders,
+        checkedUrl: response.url || url,
+    };
+}
+async function runSecurityAudit(cwd, appUrl, timeoutMs = 30000) {
+    console.log("  Running security audit (npm audit + runtime headers)...");
+    const [npmAudit, headerAudit] = await Promise.all([
+        runNpmAudit(cwd, timeoutMs),
+        appUrl ? auditSecurityHeaders(appUrl) : Promise.resolve(null),
+    ]);
+    const parts = [];
+    if (npmAudit.critical > 0)
+        parts.push(`${npmAudit.critical} critical`);
+    if (npmAudit.high > 0)
+        parts.push(`${npmAudit.high} high`);
+    if (npmAudit.moderate > 0)
+        parts.push(`${npmAudit.moderate} moderate`);
+    if (npmAudit.low > 0)
+        parts.push(`${npmAudit.low} low`);
+    const missingHeaders = headerAudit?.missingHeaders ?? [];
+    if (missingHeaders.length > 0) {
+        parts.push(`missing headers: ${missingHeaders.join(", ")}`);
+    }
+    if (headerAudit?.error) {
+        parts.push(`header check skipped: ${headerAudit.error}`);
+    }
+    const summary = parts.length > 0
+        ? parts.join(" | ")
+        : "No known vulnerabilities or missing security headers";
+    console.log(`  Security: ${summary}`);
+    return {
+        ...npmAudit,
+        summary,
+        missingHeaders,
+        headerCheckUrl: headerAudit?.checkedUrl,
+        headerCheckError: headerAudit?.error,
+    };
+}

package/dist/seo-deep.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Deep SEO audit.
+ *
+ * Checks page-level SEO signals beyond Lighthouse's basic SEO category:
+ * title, meta description, canonical, robots, Open Graph, Twitter Card,
+ * JSON-LD structured data. Runs against the running dev server via HTTP.
+ */
+export interface SeoDeepResult {
+    passed: boolean;
+    checks: SeoCheck[];
+    warningCount: number;
+    errorCount: number;
+    url: string;
+    skipped: boolean;
+    summary: string;
+}
+export interface SeoCheck {
+    key: string;
+    label: string;
+    passed: boolean;
+    value: string | null;
+    severity: "error" | "warning";
+}
+export declare function runSeoDeep(url: string): Promise<SeoDeepResult>;

package/dist/seo-deep.js

@@ -0,0 +1,147 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSeoDeep = runSeoDeep;
+async function fetchPageHtml(url) {
+    try {
+        const res = await fetch(url, {
+            signal: AbortSignal.timeout(10000),
+            headers: { "User-Agent": "laxy-verify/1.0" },
+        });
+        if (!res.ok)
+            return null;
+        return await res.text();
+    }
+    catch {
+        return null;
+    }
+}
+function extractMetaContent(html, nameAttr) {
+    // Match <meta name="..." content="..."> or <meta property="..." content="...">
+    const regex = new RegExp(`<meta\\s+(?:name|property)=["']${nameAttr}["']\\s+content=["']([^"']*)["']`, "i");
+    const match = html.match(regex);
+    if (match)
+        return match[1];
+    // Also try content before name/property
+    const regex2 = new RegExp(`<meta\\s+content=["']([^"']*)["']\\s+(?:name|property)=["']${nameAttr}["']`, "i");
+    const match2 = html.match(regex2);
+    return match2 ? match2[1] : null;
+}
+function extractTitle(html) {
+    const match = html.match(/<title[^>]*>([^<]*)<\/title>/i);
+    return match ? match[1].trim() : null;
+}
+function extractCanonical(html) {
+    const match = html.match(/<link[^>]+rel=["']canonical["'][^>]+href=["']([^"']*)["']/i);
+    return match ? match[1] : null;
+}
+function extractRobotsMeta(html) {
+    return extractMetaContent(html, "robots");
+}
+function hasJsonLd(html) {
+    return /<script[^>]+type=["']application\/ld\+json["']/i.test(html);
+}
+async function runSeoDeep(url) {
+    console.log("  Running deep SEO audit...");
+    const html = await fetchPageHtml(url);
+    if (!html) {
+        return {
+            passed: true,
+            checks: [],
+            warningCount: 0,
+            errorCount: 0,
+            url,
+            skipped: true,
+            summary: "Skipped (could not fetch page)",
+        };
+    }
+    const checks = [];
+    // Title
+    const title = extractTitle(html);
+    checks.push({
+        key: "title",
+        label: "Page title",
+        passed: !!title && title.length > 0 && title.length <= 60,
+        value: title,
+        severity: "error",
+    });
+    // Meta description
+    const description = extractMetaContent(html, "description");
+    checks.push({
+        key: "description",
+        label: "Meta description",
+        passed: !!description && description.length > 0 && description.length <= 160,
+        value: description,
+        severity: "warning",
+    });
+    // Canonical
+    const canonical = extractCanonical(html);
+    checks.push({
+        key: "canonical",
+        label: "Canonical URL",
+        passed: !!canonical,
+        value: canonical,
+        severity: "warning",
+    });
+    // Robots
+    const robots = extractRobotsMeta(html);
+    const robotsNoindex = robots?.includes("noindex") ?? false;
+    checks.push({
+        key: "robots",
+        label: "Robots meta",
+        passed: !robotsNoindex,
+        value: robots ?? "(not set — defaults to index)",
+        severity: "error",
+    });
+    // Open Graph
+    const ogTitle = extractMetaContent(html, "og:title");
+    const ogDescription = extractMetaContent(html, "og:description");
+    const ogImage = extractMetaContent(html, "og:image");
+    const hasOg = ogTitle || ogDescription || ogImage;
+    checks.push({
+        key: "og",
+        label: "Open Graph tags",
+        passed: !!hasOg,
+        value: hasOg
+            ? [ogTitle && "title", ogDescription && "desc", ogImage && "image"].filter(Boolean).join(", ")
+            : null,
+        severity: "warning",
+    });
+    // Twitter Card
+    const twitterCard = extractMetaContent(html, "twitter:card");
+    const twitterTitle = extractMetaContent(html, "twitter:title");
+    const hasTwitter = twitterCard || twitterTitle;
+    checks.push({
+        key: "twitter",
+        label: "Twitter Card tags",
+        passed: !!hasTwitter,
+        value: hasTwitter
+            ? [twitterCard && "card", twitterTitle && "title"].filter(Boolean).join(", ")
+            : null,
+        severity: "warning",
+    });
+    // JSON-LD
+    const jsonLd = hasJsonLd(html);
+    checks.push({
+        key: "jsonld",
+        label: "JSON-LD structured data",
+        passed: jsonLd,
+        value: jsonLd ? "present" : null,
+        severity: "warning",
+    });
+    const errorCount = checks.filter((c) => !c.passed && c.severity === "error").length;
+    const warningCount = checks.filter((c) => !c.passed && c.severity === "warning").length;
+    const passed = errorCount === 0;
+    const parts = [];
+    if (errorCount > 0)
+        parts.push(`${errorCount} error(s)`);
+    if (warningCount > 0)
+        parts.push(`${warningCount} warning(s)`);
+    const summary = parts.length > 0
+        ? parts.join(", ")
+        : "All SEO checks passed";
+    console.log(`  SEO deep: ${summary}`);
+    for (const check of checks.filter((c) => !c.passed)) {
+        console.error(`    [${check.severity}] ${check.label}: ${check.value ?? "missing"}`);
+    }
+    return { passed, checks, warningCount, errorCount, url, skipped: false, summary };
+}

package/dist/typecheck.d.ts

@@ -0,0 +1,8 @@
+export interface TypecheckResult {
+    passed: boolean;
+    errorCount: number;
+    errors: string[];
+    skipped: boolean;
+    durationMs: number;
+}
+export declare function runTypecheck(projectDir: string, timeoutMs?: number): Promise<TypecheckResult>;